WORM_DELF.FKZ Help me get rid of it

Microsoft Windows vista home premium w/s...
April 22, 2010 at 12:31:35
Specs: Windows Vista Home Premium, AMD Turion X2 Dual-Core Mobile/ 3GB Ram
Can someone help me get the virus
WORM_DELF.FKZ off my machine?



#1
April 22, 2010 at 14:12:55
Download DDS and save it to your desktop.
DDS.scr


Disable any script blocker if your Anti-Virus/Anti-Malware has it.
Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt (do not zip just copy/paste)

Save both reports to your desktop then post them please. You may need to post in segments to get all the info to us, as the logs may be too large to fit in one post.

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename mbam-setup.exe to tool.exe in the filename box, then click Save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy & paste the entire report in your next reply.



#2
April 25, 2010 at 13:32:26
Here are the logs, in order:
DDS.txt


DDS (Ver_10-03-17.01) - NTFSx86
Run by ROSTAMI1 at 15:12:26.25 on Sun 04/25/2010
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2813.1736 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\explorer.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\ROSTAMI1\Downloads\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [TOSCDSPD] TOSCDSPD.EXE
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\users\rostami1\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618)" -"http://www.shockwave.com/gamelanding/rr2detonator.jsp"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [jswtrayutil] "c:\program files\jumpstart\jswtrayutil.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [NDSTray.exe] NDSTray.exe
mRun: [cfFncEnabler.exe] cfFncEnabler.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [ICSDCLT] c:\windows\rundll32.exe c:\windows\system32\icsdclt.dll,ICSClient
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [wcmdmgr] c:\windows\wt\updater\wcmdmgrl.exe -launch
mRun: [Fonawy] c:\program files\fonawy standard\Fonawy
mRunServices: [SSDPSRV] c:\windows\system32\ssdpsrv.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\toshib~1.lnk - c:\program files\toshiba\smartfacev\SmartFaceVWatcher.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
Trusted Zone: netzero.com
Trusted Zone: netzero.net
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - file:///D:/games/WebDriverFullInstall.exe
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL,avgrsstx.dll
mASetup: {7E6FA2FF-CC41-4145-9C06-19C1F78DF855} - c:\program files\microsoft\microsoft maren\bin\reg.exe
mASetup: {970EA2E9-E7B8-45E1-9CB5-0DEB37C2C28D} - %SystemRoot%\System32\regsvr32.exe /s c:\program files\microsoft\microsoft maren\bin\TextService.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\rostami1\appdata\roaming\mozilla\firefox\profiles\z8p1qa4q.default\
FF - plugin: c:\users\rostami1\appdata\local\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-8 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-8 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-8 242896]
R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2009-1-20 20384]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-4-8 308064]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-4-17 40960]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-6-3 92008]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-5-5 7168]
R3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\toshiba\smartfacev\SmartFaceVWatchSrv.exe [2008-4-24 73728]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-5-5 30192]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\jumpstart\jswpsapi.exe [2009-1-20 954368]
S3 SVRPEDRV;SVRPEDRV;c:\windows\system32\sysprep\PEDRV.SYS [2008-5-16 9216]

=============== Created Last 30 ================

2010-04-18 00:15:27 2064 ----a-w- c:\windows\GrafEq Preferences.gpq
2010-04-18 00:15:17 0 ----a-w- c:\windows\PROTOCOL.INI
2010-04-18 00:15:03 50 ----a-w- c:\windows\GrfqPref.gpq
2010-04-18 00:14:59 0 d-----w- c:\program files\Pedagoguery Software
2010-04-17 21:52:12 0 d-----w- c:\users\rostami1\appdata\roaming\enchant
2010-04-17 21:50:25 0 d-----w- c:\users\rostami1\AbiSuite
2010-04-17 21:48:14 0 d-----w- c:\program files\AbiWord
2010-04-17 21:29:51 78848 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-17 21:29:51 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-17 21:29:51 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-17 21:29:41 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-17 21:29:40 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-17 21:28:13 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-04-17 21:27:50 62464 ----a-w- c:\windows\system32\l3codeca.acm
2010-04-17 21:27:43 902024 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-17 21:27:42 98192 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2010-04-17 21:27:42 595456 ----a-w- c:\windows\system32\FWPUCLNT.DLL
2010-04-17 21:27:42 438272 ----a-w- c:\windows\system32\IKEEXT.DLL
2010-04-17 21:27:42 328704 ----a-w- c:\windows\system32\BFE.DLL
2010-04-17 21:27:42 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-17 21:27:42 220040 ----a-w- c:\windows\system32\drivers\netio.sys
2010-04-17 21:27:42 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-17 21:26:54 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-04-17 21:19:15 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-12 01:30:05 0 d-----w- c:\users\rostami1\appdata\roaming\PeerNetworking
2010-04-11 23:11:57 0 d-----w- c:\users\rostami1\appdata\roaming\EMCO
2010-04-11 23:11:35 0 d-----w- c:\program files\EMCO
2010-04-11 20:58:13 0 d-----w- c:\program files\Fonawy Standard
2010-04-10 01:50:09 0 d-----w- C:\New Folder
2010-04-10 01:48:55 0 d--h--w- C:\$AVG
2010-04-09 23:28:44 45056 ----a-w- c:\windows\system32\wtcpl.cpl
2010-04-09 23:28:29 0 d-----w- c:\windows\wt
2010-04-09 23:22:40 84 ---h--w- C:\IPH.PH
2010-04-08 23:33:16 0 d-----w- c:\program files\uTorrent
2010-04-08 23:32:25 0 d-----w- c:\users\rostami1\appdata\roaming\uTorrent
2010-04-08 22:23:05 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-08 22:23:01 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-08 22:22:53 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-08 22:22:49 0 d-----w- c:\windows\system32\drivers\Avg
2010-04-08 22:19:51 0 d-----w- c:\program files\AVG
2010-04-08 22:19:25 0 d-----w- c:\programdata\avg9
2010-03-30 23:36:40 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-30 23:36:35 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-30 23:36:34 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-03-30 23:32:40 0 d-----w- c:\users\rostami1\New Folder

==================== Find3M ====================

2010-04-08 22:10:26 86016 ----a-w- c:\windows\inf\infstor.dat
2010-04-08 22:10:26 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-08 22:10:26 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-03-09 16:28:40 833024 ----a-w- c:\windows\system32\wininet.dll
2010-03-09 16:25:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 14:01:47 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-05-05 01:17:15 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-05-05 00:00:28 13 --sh--r- c:\windows\system32\drivers\fbd.sys
2009-05-05 00:00:26 4 --sh--r- c:\windows\system32\drivers\taishop.sys

============= FINISH: 15:13:12.62 ===============



#3
April 25, 2010 at 13:32:50
Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 1/20/2009 7:44:13 PM
System Uptime: 4/25/2010 3:03:20 PM (0 hours ago)

Motherboard: TOSHIBA | | Portable PC
Processor: AMD Turion(tm) X2 Dual-Core Mobile RM-70 | Socket M2/S1G1 | 2000/1800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 226 GiB total, 163.558 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0000
Manufacturer: Microsoft
Name: 6TO4 Adapter
PNP Device ID: ROOT\*6TO4MP\0000
Service: tunnel

==== System Restore Points ===================


==== Installed Programs ======================

µTorrent
AbiWord 2.8.4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2
Adobe Shockwave Player 11.5
Apple Software Update
Atheros Driver Installation Program
Atheros Wi-Fi Protected Setup Library
ATI Catalyst Install Manager
AVG Free 9.0
Camera Assistant Software for Toshiba
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization Czech
Catalyst Control Center Localization Danish
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization Finnish
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Greek
Catalyst Control Center Localization Hungarian
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Norwegian
Catalyst Control Center Localization Polish
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Russian
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
Catalyst Control Center Localization Thai
Catalyst Control Center Localization Turkish
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CD/DVD Drive Acoustic Silencer
ColdCallBlocker
Dev-C++ 5 beta 9 release (4.9.9.2)
EMCO MoveOnBoot v2.1
Free 3GP Video Converter version 3.4
Free YouTube to iPod Converter version 3.1
FreeRIP v3.1
Google Chrome
Google Desktop
Google Toolbar for Internet Explorer
GrafEq
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HyperCam
Java(TM) 6 Update 13
Java(TM) 6 Update 6
Memeo AutoBackup
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Maren
Microsoft Office Suite Activation Assistant
Microsoft Silverlight
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft® Arabic True Type Open Fonts Pack
Mozilla Firefox (3.6.3)
MSVCRT
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Picasa 2
QuickBooks Financial Center
QuickTime
Realtek 8169 8168 8101E 8102E Ethernet Driver
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
Skins
Skype™ 4.0
Synaptics Pointing Device Driver
The Font Thing
TomTom HOME 2.6.4.1641
TomTom HOME Visual Studio Merge Modules
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Disc Creator
TOSHIBA DVD PLAYER
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Face Recognition
TOSHIBA Games
TOSHIBA Hardware Setup
TOSHIBA Recovery Disc Creator
Toshiba Registration
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
Typing Instructor Deluxe
Uninstall 1.0.0.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VC 9.0 Runtime
WildTangent Updater
WildTangent Web Driver
Windows 7 Upgrade Advisor
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
WinRAR archiver
WordPerfect Office 2002
Yahoo! Messenger

==== End Of File ===========================


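Reading DDS.txt and Attach.txt by eye is how helpers on threads like this work, but the checks they apply are mechanical enough to script. The following is an added example written for this page; it is not a feature of DDS, Malwarebytes or ComboFix, and the sample input embedded in it is a constructed subset of the lines posted above. The checks it runs (orphaned BHO registrations, autorun commands that name no recognizable executable, entries in the RunServices key, files carrying hidden or system attributes, .sys files too small to be a driver image, and more than one Java runtime listed under Installed Programs) are heuristics chosen for illustration, with an assumed 512-byte size threshold; a hit is a lead to investigate, not a verdict.

```python
"""Mechanical triage of DDS.txt / Attach.txt text.

Added example for this thread; not a DDS or Malwarebytes feature. Every
pattern and threshold below is a heuristic chosen for illustration, and a
hit means "look at this", not "this is malware".
"""
import re

# A command "names a program" if one of these extensions appears anywhere in
# it; this copes with quoted paths, rundll32 "x.dll,Entry" forms and switches.
EXEC_EXT = re.compile(r"\.(exe|dll|scr|com|bat|cmd|vbs|js|pif)\b", re.I)
AUTORUN = re.compile(
    r"^(?P<hive>[um])Run(?P<variant>Once|Services)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# "Created Last 30" / Find3M rows: timestamp, size, 8-char attribute string, path.
FILEROW = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+(?P<attr>\S{8})\s+(?P<path>.+)$"
)
JAVA = re.compile(r"^Java\(TM\) (?P<major>\d+) Update (?P<update>\d+)$")

# Assumed threshold: a file this small cannot hold a DOS stub plus PE headers,
# so a ".sys" under it is not a loadable driver image, whatever it is.
MIN_DRIVER_BYTES = 512

# Constructed sample: a subset of the lines from the logs in this thread.
SAMPLE_DDS = r"""
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [ICSDCLT] c:\windows\rundll32.exe c:\windows\system32\icsdclt.dll,ICSClient
mRun: [Fonawy] c:\program files\fonawy standard\Fonawy
mRunServices: [SSDPSRV] c:\windows\system32\ssdpsrv.exe
2010-04-10 01:48:55 0 d--h--w- C:\$AVG
2010-04-09 23:22:40 84 ---h--w- C:\IPH.PH
2010-04-08 22:23:05 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-05 00:00:28 13 --sh--r- c:\windows\system32\drivers\fbd.sys
2009-05-05 00:00:26 4 --sh--r- c:\windows\system32\drivers\taishop.sys
"""
SAMPLE_ATTACH = """
==== Installed Programs ======================
Java(TM) 6 Update 13
Java(TM) 6 Update 6
Mozilla Firefox (3.6.3)
==== End Of File ===========================
"""


def check_bho(line):
    """A BHO CLSID whose DLL is gone is a leftover or half-removed add-on."""
    if line.startswith("BHO:") and line.endswith("- No File"):
        return [f"orphaned BHO registration: {line}"]
    return []


def check_autorun(line):
    m = AUTORUN.match(line)
    if not m:
        return []
    key = f"{m['hive']}Run{m['variant'] or ''}:[{m['name']}]"
    out = []
    if m["variant"] == "Services":
        # RunServices is honoured only by Windows 9x/ME; NT-based Windows
        # never reads it, so anything written there deserves a look.
        out.append(f"{key} sits in the RunServices key, which NT-based Windows ignores")
    if not EXEC_EXT.search(m["cmd"]):
        out.append(f"{key} command names no recognizable executable: {m['cmd']}")
    return out


def check_file_row(line):
    m = FILEROW.match(line)
    if not m:
        return []
    attr, path, size = m["attr"], m["path"], int(m["size"])
    if attr[0] == "d":  # directory rows are not checked here
        return []
    out = []
    flags = []
    if attr[2] == "s":
        flags.append("system")
    if attr[3] == "h":
        flags.append("hidden")
    if flags:
        out.append(f"{path}: file carries {'+'.join(flags)} attribute(s)")
    if path.lower().endswith(".sys") and size < MIN_DRIVER_BYTES:
        out.append(f"{path}: {size}-byte .sys cannot be a driver image")
    return out


def java_versions(attach_text):
    found = []
    for raw in attach_text.splitlines():
        m = JAVA.match(raw.strip())
        if m:
            found.append((int(m["major"]), int(m["update"])))
    return found


def stale_java(attach_text):
    """Every listed Java runtime except the newest; old updates stay exploitable."""
    versions = sorted(java_versions(attach_text))
    return [f"Java(TM) {maj} Update {upd}" for maj, upd in versions[:-1]]


def triage(dds_text, attach_text):
    findings = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        findings += [("bho", f) for f in check_bho(line)]
        findings += [("autorun", f) for f in check_autorun(line)]
        findings += [("file", f) for f in check_file_row(line)]
    findings += [("java", f"older runtime still installed: {v}") for v in stale_java(attach_text)]
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_DDS, SAMPLE_ATTACH):
        print(f"[{category}] {detail}")
```

Run against the full DDS.txt and Attach.txt, it surfaces the same lines a reader would circle in the posted logs: the BHO with "No File", the extensionless Fonawy autorun, the RunServices entry, the hidden C:\IPH.PH, the 13-byte and 4-byte .sys files under drivers, and the two Java 6 updates installed side by side.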

#4
April 25, 2010 at 13:33:23
MBAM.txt


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4035

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

4/25/2010 3:29:09 PM
mbam-log-2010-04-25 (15-29-09).txt

Scan type: Quick scan
Objects scanned: 113138
Time elapsed: 9 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



#5
April 25, 2010 at 16:24:43
You need to uninstall uTorrent, as it is known to harbor spyware.

Go to Start > Control Panel > click the Java icon > Update tab > Update Now, and allow Java to update. If you are prompted for any add-ons, uncheck the box and continue. The newest Java is version 6 update 20. Then go to Add/Remove Programs and uninstall the older versions of Java.

Please download Combofix with internet explorer instead of any other browser if possible.

Remember..your AVG antivirus and Windows Defender must be turned off or disabled before running ComboFix. The clickable link "This Link" in the ComboFix tutorial will help you get them disabled.

Please download ComboFix to the desktop from one of the following links:

ComboFix

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to Combo-Fix in the filename box, then click Save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" .
Note: Do not mouseclick combo-fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.



#6
April 25, 2010 at 18:53:44
Combo-Fix.txt


ComboFix 10-04-21.01 - ROSTAMI1 04/25/2010 20:40:30.1.2
- x86
Microsoft® Windows Vista™ Home Premium
6.0.6001.1.1252.1.1033.18.2813.1762 [GMT -5:00]
Running from: c:\users\ROSTAMI1\Desktop\Combo-
Fix.exe.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-
831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions
)))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2036848099-160209580-2947422689-
500
c:\$recycle.bin\S-1-5-21-2103767596-3858802898-114832178-
500
C:\install.exe
c:\windows\system32\service
c:\windows\system32\service\04012010_TIS17_SfFniAU.log
c:\windows\system32\service\06052009_TIS17_SfFniAU.log
c:\windows\system32\service\12082009_TIS17_SfFniAU.log
c:\windows\system32\service\21062009_TIS17_SfFniAU.log

.
((((((((((((((((((((((((( Files Created from 2010-03-26 to 2010-04-26 )))))))))))))))))))))))))))))))
.

2010-04-26 01:46 . 2010-04-26 01:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-26 01:33 . 2010-04-12 22:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-25 20:38 . 2010-04-25 20:39 -------- d-----w- c:\users\ROSTAMI1\AppData\Local\MigWiz
2010-04-25 20:17 . 2010-04-25 20:17 -------- d-----w- c:\users\ROSTAMI1\AppData\Roaming\Malwarebytes
2010-04-25 20:17 . 2010-03-29 20:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-25 20:17 . 2010-04-25 20:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-25 20:17 . 2010-04-25 20:17 -------- d-----w- c:\programdata\Malwarebytes
2010-04-25 20:17 . 2010-03-29 20:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-22 20:28 . 2010-04-22 20:28 242696 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2010-04-22 20:27 . 2010-04-22 20:27 1689952 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-04-18 00:14 . 2010-04-18 00:14 -------- d-----w- c:\program files\Pedagoguery Software
2010-04-17 21:52 . 2010-04-17 21:52 -------- d-----w- c:\users\ROSTAMI1\AppData\Roaming\enchant
2010-04-17 21:50 . 2010-04-17 21:50 -------- d-----w- c:\users\ROSTAMI1\AbiSuite
2010-04-17 21:48 . 2010-04-17 21:49 -------- d-----w- c:\program files\AbiWord
2010-04-17 21:29 . 2010-02-23 11:32 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-17 21:29 . 2010-02-23 11:32 78848 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-17 21:29 . 2010-02-23 11:32 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-17 21:29 . 2010-02-18 14:49 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-17 21:29 . 2010-02-18 14:49 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-17 21:28 . 2010-03-04 18:54 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-04-17 21:27 . 2010-02-18 17:36 902024 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-17 21:27 . 2010-02-18 17:36 220040 ----a-w- c:\windows\system32\drivers\netio.sys
2010-04-17 21:27 . 2010-02-18 17:36 98192 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2010-04-17 21:27 . 2010-02-18 14:11 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-17 21:27 . 2010-02-18 13:59 438272 ----a-w- c:\windows\system32\IKEEXT.DLL
2010-04-17 21:27 . 2010-02-18 13:59 595456 ----a-w- c:\windows\system32\FWPUCLNT.DLL
2010-04-17 21:27 . 2010-02-18 13:57 328704 ----a-w- c:\windows\system32\BFE.DLL
2010-04-17 21:27 . 2010-02-18 11:52 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-17 21:19 . 2010-01-15 00:04 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-17 21:16 . 2010-04-17 21:16 1035032 ----a-w- c:\programdata\avg9\update\backup\avgupd.exe
2010-04-12 01:30 . 2010-04-12 01:30 -------- d-----w- c:\users\ROSTAMI1\AppData\Roaming\PeerNetworking
2010-04-11 23:11 . 2010-04-11 23:11 -------- d-----w- c:\users\ROSTAMI1\AppData\Roaming\EMCO
2010-04-11 23:11 . 2010-04-11 23:11 -------- d-----w- c:\program files\EMCO
2010-04-11 21:21 . 2010-04-11 21:21 -------- d-----w- c:\users\ROSTAMI1\AppData\Local\Mozilla
2010-04-11 20:58 . 2010-04-11 22:14 -------- d-----w- c:\program files\Fonawy Standard
2010-04-10 01:50 . 2010-04-10 01:50 -------- d-----w- C:\New Folder
2010-04-10 01:48 . 2010-04-10 01:48 -------- d-----w- C:\$AVG
2010-04-09 23:28 . 2010-04-09 23:33 -------- d-----w- c:\windows\wt
2010-04-08 23:32 . 2010-04-26 01:27 -------- d-----w- c:\users\ROSTAMI1\AppData\Roaming\uTorrent
2010-04-08 22:23 . 2010-04-08 22:23 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-08 22:23 . 2010-04-22 20:28 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-08 22:22 . 2010-04-08 22:22 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-08 22:22 . 2010-04-26 01:30 -------- d-----w- c:\windows\system32\drivers\Avg
2010-04-08 22:22 . 2010-04-08 22:22 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-08 22:19 . 2010-04-08 22:19 -------- d-----w- c:\program files\AVG
2010-04-08 22:19 . 2010-04-08 22:19 -------- d-----w- c:\programdata\avg9
2010-04-08 22:09 . 2010-04-08 22:09 -------- d-----w- c:\users\ROSTAMI1\AppData\Local\Trend Micro
2010-04-06 03:30 . 2010-04-06 03:30 -------- d-----w- c:\users\ROSTAMI1\AppData\Local\Microsoft Help
2010-03-30 23:36 . 2010-02-20 23:39 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-30 23:36 . 2010-02-20 21:18 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-30 23:36 . 2010-02-20 23:37 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-03-30 23:32 . 2010-03-30 23:32 -------- d-----w- c:\users\ROSTAMI1\New Folder

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-26 01:33 . 2008-05-05 18:33 -------- d-----w- c:\program files\Common Files\Java
2010-04-26 01:33 . 2008-05-05 18:33 -------- d-----w- c:\program files\Java
2010-04-25 20:35 . 2009-05-06 23:10 -------- d-----w- c:\users\ROSTAMI1\AppData\Roaming\Skype
2010-04-25 20:35 . 2009-05-06 23:11 -------- d-----w- c:\users\ROSTAMI1\AppData\Roaming\skypePM
2010-04-19 00:57 . 2009-06-21 19:20 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-04-19 00:57 . 2009-06-21 19:20 -------- d-----w- c:\program files\DVDVideoSoft
2010-04-18 04:21 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-12 00:05 . 2009-12-17 22:13 -------- d-----w- c:\program files\Sony
2010-04-11 22:33 . 2009-12-17 22:17 -------- d-----w- c:\users\ROSTAMI1\AppData\Roaming\Sony
2010-04-08 23:28 . 2009-05-05 00:01 133312 ----a-w- c:\users\ROSTAMI1\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-08 23:21 . 2009-01-21 00:43 -------- d-----w- c:\programdata\Microsoft Help
2010-03-31 00:14 . 2009-12-31 20:27 -------- d-----w- c:\users\ROSTAMI1\AppData\Roaming\Publish Providers
2010-03-25 01:50 . 2010-03-25 01:50 -------- d-----w- c:\program files\Alice 2.0
2010-03-09 16:28 . 2010-03-30 23:44 833024 ----a-w- c:\windows\system32\wininet.dll
2010-03-09 16:25 . 2010-03-30 23:44 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 14:01 . 2010-03-30 23:44 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-05-05 00:00 . 2009-05-05 00:00 13 --sh--r- c:\windows\System32\drivers\fbd.sys
2009-05-05 00:00 . 2009-05-05 00:00 4 --sh--r- c:\windows\System32\drivers\taishop.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-21 39408]
"Google Update"="c:\users\ROSTAMI1\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-05-05 133104]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-06-03 251240]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe" [2009-04-29 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Fonawy"="c:\program files\Fonawy Standard\Fonawy" [X]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-04-29 417792]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-03-19 716800]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-17 30192]
"NDSTray.exe"="NDSTray.exe" [BU]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"wcmdmgr"="c:\windows\wt\updater\wcmdmgrl.exe" [2002-05-08 20480]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
TOSHIBA Face Recognition Watcher.lnk - c:\program files\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [2008-4-24 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2036848099-160209580-2947422689-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001

R3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-12-17 30192]
R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2008-04-16 954368]
R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDrv.sys [2008-01-18 9216]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2010-04-08 216200]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2010-04-22 242896]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-29 20384]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-04-08 308064]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2009-06-03 92008]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
S3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe [2008-04-25 73728]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7E6FA2FF-CC41-4145-9C06-19C1F78DF855}]
2009-06-23 20:35 16624 ----a-w- c:\program files\Microsoft\Microsoft Maren\Bin\reg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{970EA2E9-E7B8-45E1-9CB5-0DEB37C2C28D}]
2009-06-26 05:50 422672 ----a-w- c:\program files\Microsoft\Microsoft Maren\Bin\TextService.dll
.
Contents of the 'Scheduled Tasks' folder

2010-04-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2036848099-160209580-2947422689-1000Core.job
- c:\users\ROSTAMI1\AppData\Local\Google\Update\GoogleUpdate.exe [2009-05-05 23:05]

2010-04-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2036848099-160209580-2947422689-1000UA.job
- c:\users\ROSTAMI1\AppData\Local\Google\Update\GoogleUpdate.exe [2009-05-05 23:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: netzero.com
Trusted Zone: netzero.net
FF - ProfilePath - c:\users\ROSTAMI1\AppData\Roaming\Mozilla\Firefox\Profiles\z8p1qa4q.default\
FF - plugin: c:\users\ROSTAMI1\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-TOSCDSPD - TOSCDSPD.EXE
HKLM-Run-jswtrayutil - c:\program files\Jumpstart\jswtrayutil.exe
HKLM-Run-cfFncEnabler.exe - cfFncEnabler.exe
HKLM-Run-ICSDCLT - c:\windows\rundll32.exe

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-04-25 20:50:10
ComboFix-quarantined-files.txt 2010-04-26 01:50

Pre-Run: 176,404,615,168 bytes free
Post-Run: 212,754,935,808 bytes free

- - End Of File - - C0BDCD5EAE23725DE524DB2993D75E70


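Reading a ComboFix log by hand means scanning the "Files Created"/"Find3M", "Reg Loading Points" and "ORPHANS REMOVED" sections for the handful of things a responder actually cares about. The Python below is an added example, not part of this thread and not ComboFix's own code: it parses those three row formats as they appear in the log above (with the wrapped lines rejoined) and applies a few flagging heuristics. The sample text is constructed from rows copied out of the log above. The heuristics are this example's own choice of what deserves a second look (a driver file marked system+hidden, a .sys too small to be a valid PE image, autostart values ComboFix stamped [X] or [BU], every AppInit_DLLs entry, every orphan), and the readings of [X] as "target not found" and [BU] as "no stamp available" are assumptions about ComboFix's notation; a flag is a prompt to inspect, not a verdict about this machine.

```python
"""Triage helper for a ComboFix log (added example; not part of the thread or of ComboFix)."""
import re
from typing import List, Optional, Tuple

# Constructed sample: rows copied from the log posted above, with the wrapped lines
# rejoined so each entry sits on one line the way ComboFix writes it.
SAMPLE_LOG = r"""
2010-04-25 20:17 . 2010-03-29 20:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-10 01:50 . 2010-04-10 01:50 -------- d-----w- C:\New Folder
2009-05-05 00:00 . 2009-05-05 00:00 13 --sh--r- c:\windows\System32\drivers\fbd.sys
2009-05-05 00:00 . 2009-05-05 00:00 4 --sh--r- c:\windows\System32\drivers\taishop.sys
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Fonawy"="c:\program files\Fonawy Standard\Fonawy" [X]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"NDSTray.exe"="NDSTray.exe" [BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\windows\System32\avgrsstx.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-TOSCDSPD - TOSCDSPD.EXE
HKLM-Run-ICSDCLT - c:\windows\rundll32.exe
"""

FILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) (\d+|-{8}) (\S{8}) (.+)$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)" \[([^\]]+)\]$')
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(.+)$', re.IGNORECASE)
ORPHAN_RE = re.compile(r"^(HK\w+-\w+-\S+) - (.+)$")

# (created, modified, size or None for a directory, 8-char attribute flags, path)
FileRow = Tuple[str, str, Optional[int], str, str]
# (registry key, value name, target, tag) where tag is "X", "BU" or "YYYY-MM-DD size"
RunValue = Tuple[str, str, str, str]


def parse_file_rows(log: str) -> List[FileRow]:
    """'Files Created' / 'Find3M' rows: created . modified size attrs path."""
    rows = []
    for m in filter(None, (FILE_RE.match(l.strip()) for l in log.splitlines())):
        created, modified, size, attrs, path = m.groups()
        rows.append((created, modified, None if size.startswith("-") else int(size), attrs, path))
    return rows


def parse_run_values(log: str) -> List[RunValue]:
    """Quoted "name"="target" [tag] values, attributed to the [HKEY_...] key above them."""
    values, key = [], ""
    for line in (l.strip() for l in log.splitlines()):
        k = KEY_RE.match(line)
        if k:
            key = k.group(1)
        elif key and RUN_RE.match(line):
            values.append((key,) + RUN_RE.match(line).groups())
    return values


def parse_appinit_dlls(log: str) -> List[str]:
    """AppInit_DLLs is a space- or comma-separated list; ComboFix prints it unquoted."""
    for line in log.splitlines():
        m = APPINIT_RE.match(line.strip())
        if m:
            return [p for p in re.split(r"[,\s]+", m.group(1)) if p]
    return []


def parse_orphans(log: str) -> List[Tuple[str, str]]:
    """Entries under 'ORPHANS REMOVED', each 'HIVE-Key-Name - target'."""
    out, in_section = [], False
    for line in (l.strip() for l in log.splitlines()):
        if "ORPHANS REMOVED" in line:
            in_section = True
        elif in_section and line.startswith("****"):
            break
        elif in_section and ORPHAN_RE.match(line):
            out.append(ORPHAN_RE.match(line).groups())
    return out


def triage(log: str) -> List[Tuple[str, str]]:
    """Heuristic (where, reason) flags: 'look at this by hand', never 'this is malware'."""
    flags = []
    for _, _, size, attrs, path in parse_file_rows(log):
        if not path.lower().endswith(".sys"):
            continue
        if "s" in attrs and "h" in attrs:
            flags.append((path, f"driver file marked system+hidden (attrs {attrs})"))
        if size is not None and size < 1024:
            # A PE image needs at least its headers, so a 4- or 13-byte .sys cannot load as a driver.
            flags.append((path, f"{size}-byte .sys is too small to be a valid driver image"))
    for key, name, target, tag in parse_run_values(log):
        if tag == "X":  # assumed meaning: ComboFix could not find the target file
            flags.append((f"{key}\\{name}", f"autostart points at a missing file: {target}"))
        elif tag == "BU":  # assumed meaning: no date/size stamp could be attached
            flags.append((f"{key}\\{name}", f"no date/size stamp; locate and verify {target} by hand"))
    for dll in parse_appinit_dlls(log):
        flags.append(("AppInit_DLLs", f"loaded into every user32-linked process: {dll}"))
    for entry, target in parse_orphans(log):
        flags.append((entry, f"removed by ComboFix as orphaned; confirm {target} is expected"))
    return flags


if __name__ == "__main__":
    for where, reason in triage(SAMPLE_LOG):
        print(f"{where}: {reason}")
```

Run it as-is to print the flags for the sample, or pass the text of a full Combo-Fix.txt to triage() to run it over a real log. Every flag still needs a person to decide: the two tiny system+hidden .sys files in the sample are flagged because no valid driver can be that small, not because the thread established what they are.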

#7
April 25, 2010 at 18:59:14
Near the end of the ComboFix run, the part where everything except for wallpaper and combofix window temporarily disappears, a popup came up saying that such-and-such program has stopped working, Windows will notify of any solution blahblah. I pressed ok, but the combofix kept going and successfully produced the above report. Is this something I should be worried about?


#8
April 25, 2010 at 19:05:56
Windows Defender "enabled" is the problem.

That's why I spell it out:

Remember, your AVG antivirus and Windows Defender must be turned off or disabled before running ComboFix. The clickable link "This Link" in the ComboFix tutorial will help you get them disabled.

Must be your lucky day; these powerful tools will render your computer useless if you do not follow the directions properly.



#9
April 25, 2010 at 19:10:35
Should be a clean computer after you do the following.

Delete DDS from your desktop

Go to start> run> type in ComboFix /Uninstall (note the space after ComboFix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Next create a new restore point. Go to start> run> type in msconfig> ok> click launch system restore> check the circle beside "create a restore point"> next> name it today's date> create > click home > exit the system configuration utility> restart the computer.

You should consider adding "Spywareblaster" to your arsenal of antispyware tools; you can download it from this link Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and it re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

Glad we could help.

